000022201 - How to export a multivalued Active Directory user attribute in HTTP headers during RSA ClearTrust authorization for a specific application

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022201
Applies ToRSA ClearTrust Agent 4.6 for Microsoft IIS
RSA ClearTrust 5.5.3
Microsoft Windows 2000 SP3
Microsoft Active Directory
IssueHow to export a multivalued Active Directory user attribute in HTTP headers during RSA ClearTrust authorization for a specific application
The user property is not being exported in HTTP headers
Resolution1. Create an appropriate user attribute in Microsoft Active Directory (or use an existing one) that can hold the values; this should be a multivalued attribute of type text. If you are using an existing attribute for prototyping, use a unused attribute such as "otherTelephone"; this is a multivalued text attribute. If you need to add a new attribute, you may want to leverage the already existing RSA ClearTrust schema extensions to AD, and when you create your own attribute, you make it a member of the ctscUserAuxClass. If not already done, you must make the ctscUserAuxClass an auxiliary class of the user objectclass. Steps on how to do this are described on page 53 of the RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide.

2. After an AD user attribute is configured or selected, you must set up the corresponding user property in ClearTrust. This is described on page 37 of the RSA ClearTrust 5.5 Administrator's Guide. Select Properties > Add new > enter the property name otherTelephone and set the type to string. Select the checkboxes to publish to HTTP headers and for multivalued attribute.

3. Edit the Application in the ClearTrust Entitlements Manager (Admin GUI) that is used to authorize these resources, and select the "Exportable Properties" option. Mark the "otherTelephone" attribute as exportable for this application. NOTE: Make sure to click UPDATE on the main application screen after selecting DONE on the exportable properties page; otherwise, your changes will not be committed.

4. In the webagent.conf file, select the list of userproperties you wish to allow for export by adding the properties you defined above to the cleartrust.agent.userprops parameter, e.g. cleartrust.agent.userprops=otherTelephone

5. In the webagent.conf file, set the Agent to export user properties only at authorization time by setting the cleartust.agent.userprops_level=AuthZ. In this configuration, only user properties explicitly associated with an application will be exported.

6. In the webagent.conf file, set the cleartrust.agent.multivalue_userprops_oneset=True. This will format the output of the multivalued userproperties in the format otherTelephone=group1,group2,groupn.

7. Set up sample data in the otherTelephone attribute in AD either by editing the userproperty using the Edit User page of the ClearTrust Entitlements Manger or directly in the user object using ADSI edit snap in for the MMC

Test by authenticating with a valid user and observing the headers using a program such as dumpvars.asp or a Microsoft .NET page in debug mode.
Legacy Article IDa27360